[Comments-idn-guidelines-19oct17] IDNs have potential for a lot more homoglyphs than is necessary

Anton Bershanskiy bershan2 at illinois.edu
Sun Dec 10 23:59:29 UTC 2017


Dear IDN Implementation Guidelines Working Group,

Thank you for all the great work you are doing.

I got interested in IDN homoglyphs and would like to share a few
observations that I made (while IDN homoglyph generator based on IDN Tables
and Unicode Technical Standard #39). Also, I made a proof-of-concept attack
using an IDN homoglyph to do a man-in-the-middle attack on a website with
mixed content to make an illusion of HTTPS-secured connection.

1. IDN Tables are more numerous than necessary and are sometimes redundant.

Consider the following example: TLD .קום has 97 active IDN Tables, most of
which are from entirely unrelated languages and even different continents.
Note that two of these tables are Ukrainian and Cyrillic.
1.1. First of all, the Ukrainian table is entirely unnecessary from a usability
perspective, since no Ukrainian would ever use this TLD as we have a
completely different script system: Cyrillic. I cannot even imagine how
someone would even type this address.
1.2. Secondly, Ukrainian is entirely included in Cyrillic, thus does not
really require a separate table. It might be a good idea to recommend that
registrars remove (retire) IDN tables that are proper subsets of other
tables or, better yet, not use overly permissive tables.
1.3. More importantly, Cyrillic contains a few code points similar to
Latin, thus might allow homoglyphs for some non-IDN second-level labels
that are recorded in the DNS as usual ASCII strings (not Punycode).

2. I made a proof-of-concept man-in-the-middle attack with a Homoglyph.
2.1. Unsurprisingly, I was able to register a whole-script Cyrillic
homoglyph (in COM space) for a usual ASCII domain and
2.2. got a valid TLS certificate for it.
2.3. Then, I proxied all HTTP traffic on my computer via a server that
would redirect all HTTP for that specific domain to the homoglyph with
HTTPS.
2.4. This simple system allowed me to visit the "secure" HTTPS original site
and then click an HTTP link to another page and be redirected to
HTTP://original -> my local server -> HTTPS://homoglyph, resulting in a
visually undetectable man-in-the-middle attack.

Sincerely,
University of Illinois at Urbana-Champaign student
Anton Bershanskiy.
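The whole-script confusable case in points 1.3 and 2.1 above (a label written entirely in Cyrillic whose every code point has a Latin look-alike, so it renders the same as an existing ASCII label) is exactly what a UTS #39 style check at a registry or in a browser is meant to catch. The following is an added example, not code from the mail or from the working group; its confusable mapping is a constructed subset of the UTS #39 confusables data, and it derives scripts from Unicode character names as a simplification of the real Script property.

```python
"""Flag candidate IDN labels that are whole-script confusable with ASCII labels."""
import unicodedata

# Constructed subset of UTS #39 confusables: Cyrillic code point -> Latin skeleton.
# A real implementation loads the full confusables.txt from Unicode.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
}


def script_of(ch):
    """Coarse script name taken from the Unicode character name (simplification:
    the proper source is the Unicode Script property). Digits and '-' are Common."""
    if ch in "-0123456789":
        return "Common"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0].title() if name else "Unknown"


def skeleton(label):
    """UTS #39 style skeleton: NFD-normalize, then map each code point through
    the confusable table. Two labels with equal skeletons look alike."""
    nfd = unicodedata.normalize("NFD", label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in nfd)


def classify(label, registered_ascii):
    """Classify a candidate label against already-registered ASCII labels.

    Returns one of: 'ascii', 'latin', 'mixed-script', 'whole-script-confusable', 'ok'.
    'whole-script-confusable' is the case from the mail: a single non-Latin
    script whose skeleton collides with an existing ASCII label."""
    label = label.lower()
    scripts = {script_of(ch) for ch in label} - {"Common"}
    if len(scripts) > 1:
        return "mixed-script"
    if not scripts or scripts == {"Latin"}:
        return "ascii" if label.isascii() else "latin"
    skel = skeleton(label)
    if skel.isascii() and skel in registered_ascii:
        return "whole-script-confusable"
    return "ok"
```

A registry would run `classify` at registration time against its existing ASCII second-level labels and a browser against its list of known domains; anything returning `whole-script-confusable` or `mixed-script` is a candidate for refusal or Punycode display.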